Tags | Security | Authentication | SCIM |
This documentation is for Stack Overflow Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
Overview
System for Cross-domain Identity Management (SCIM) is an open API for securely sharing user information between online systems. In Stack Overflow for Teams Enterprise (SOE), SCIM support allows an Identity Provider (IdP) to automatically update Stack Overflow with the user's activation status and/or role. Unlike SAML 2.0, which passes user information only at login, SCIM sends updates whenever they occur. This provides SOE near-real-time updates to user status and role as changes happen at the IdP.
Supported activites
The SCIM integration supports the following activities for users that have already been created in SOE:
Deactivate a user.
Reactivate a deactivated user.
Promote/demote a user between administrator, moderator, and regular user roles.
SOE's SCIM integration will not create users. Users must still log in with a valid assertion from their IdP to create an account. That is, Stack Overflow uses "just in time" provisioning when a user presents a valid identity assertion. It does not support user creation over SCIM.
Enabling SCIM support does not disable user management options within SOE. This means a user may have an active status in the IdP, yet be deactivated in SOE through the admin user management settings. We recommend standardizing on a single provisioning workflow within your organization to avoid confusion.
Configure SCIM support on SOE
The SCIM configuration on SOE is the same regardless of IdP.
As an SOE admin, click Admin Settings in the left-hand menu. Click SCIM under the "ACCESS MANAGEMENT" heading.
Configure the following settings:
SCIM Set to On to enable SCIM.
SCIM authorization bearer token Create a token (password) you'll later enter into the SCIM configuration on Entra ID. You can enter any string of characters, but be sure to follow best practices for creating a strong password. SOE hides the value by default. Click Show password to view and copy the value.
Allow Moderator Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and moderator roles.
Allow Admin Promotion via a userType property Check this box to enable SCIM promotion/demotion between regular user and admin roles.
Click Save settings.
Configure the Identity Provider
The following instructions are general instructions for SCIM compliant systems. If you're using one of the following IdPs, follow the links for detailed configuration information.
The IdP must send SCIM requests to https://[your_site]/api/scim/v2. In addition, the IdP must send the following values part of the user resource to correctly map the user and set their status:
userNameThe user ID (must match the User Identifier Assertion at https://[your_site]/enterprise/auth-settings).active(true/false) Determines whether or not the user should be deactivated or reactivated in SOE.Required fields for SCIM (these are commonly mapped for you by your IdP, requiring no action on your part):
name.givenNamename.familyNameemails
userType(optional) Requires enabling Allow Moderator Promotion via a userType property and/or Allow Admin Promotion via a userType property on the SCIM Integration settings page on SOE. SOE will change a user's role based on the followinguserTypevalues: Registered, Moderator, or Admin.
NOTE: Microsoft Entra ID SCIM doesn't support user role promotion or demotion.
If your IdP does not support SCIM, an alternative is to have a separate application issuing the SCIM API calls to https://[your_site]/api/scim/v2 as outlined above.
If you need further support or have questions, contact your site administrator.